Lab Strategy
=Phase 1 - Plan & Prepare=
==READ THE ENTIRE LAB FIRST!!!==
If there is one thing that you MUST do first, it is to read the entire lab. If you start on Section 1.1 and then get to Section 5.2 only to realize that you just broke Sections 1.3, 4.4 and 3.6 because you didn't read the entire lab, you're going to have a bad time. Take a little time to read the entire lab, note some possible issues and then create a plan.

==Plan Your Attack==
After noting any issues that you can foresee, draw some diagrams or take notes before typing away. It's always a good idea to understand what the BIG PICTURE is at this point. Generally you have some backbone (BB#) routers that are going to inject a shit-ton of routes (pure speculation), so first understand the consequences of peering with those at the wrong time. The wrong time would be to try to filter routes before establishing connectivity throughout the domain. Generally it makes sense to have a very tightly controlled environment in terms of routing and expected behavior. Before jumping into ACLs and VPNs you would want to establish the routing and PKI.

When you create your diagram or list off the characteristics of the lab, the first thing you should note is the addressing. List ALL of the VLANs that will be needed for the entire lab and make note of where those are to be assigned. Make a note of ALL the IPs that are assigned as well as whether or not there are discontiguous networks or weird IP schemes.

=Phase 2 - Basic Connectivity=
==Interfaces and IP Addressing==
'''Switches'''

Narbik, INE and IPexpert have a variety of switches in their workbooks numbering around 4 - 6 so we'll assume the switch count in the exam could be anywhere from 4-6. Since almost all the traffic will be flowing through the switches, check to make sure that a simple configuration mistake is not going to bring you down in the end. Check the VLANs specified in the VLAN list and add those that are missing.
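
The switch checks in this section (planned VLAN list and access-port VLANs), as an added example that is not part of the original page or of any workbook: a small Python audit of a switch running-config against the plan. The VLAN IDs, port names and config excerpt are constructed for illustration.

```python
import re

# Constructed lab plan (hypothetical VLAN IDs and ports, not from the page).
PLAN_VLANS = {10, 20, 30, 99}
PLAN_ACCESS = {"GigabitEthernet0/1": 10, "GigabitEthernet0/2": 20, "GigabitEthernet0/3": 30}
# Constructed running-config excerpt in Catalyst IOS syntax.
RUNNING_CONFIG = """\
vlan 10
vlan 20,99
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
interface GigabitEthernet0/2
 switchport mode access
interface GigabitEthernet0/3
 switchport access vlan 20
 switchport mode access
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '20,30-32' into a set of ints."""
    ranges = (part.partition("-") for part in spec.split(","))
    return {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}

def parse_config(text):
    """Return (defined VLANs, {interface: access VLAN}) from a running-config."""
    defined, access, current = set(), {}, None
    for line in text.splitlines():
        if m := re.match(r"vlan ([\d,-]+)$", line):
            defined |= expand_vlans(m.group(1))
        elif m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif m := re.match(r" switchport access vlan (\d+)", line):
            access[current] = int(m.group(1))
        elif line.strip() == "switchport mode access":
            access.setdefault(current, 1)  # no explicit VLAN: IOS default is VLAN 1
    return defined, access

def audit(plan_vlans, plan_access, config_text):
    """Return one finding per deviation of the config from the plan."""
    defined, access = parse_config(config_text)
    findings = [f"vlan {v} missing" for v in sorted(plan_vlans - defined)]
    for port, want in sorted(plan_access.items()):
        if (have := access.get(port)) != want:
            findings.append(f"{port}: access vlan {have}, planned {want}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(PLAN_VLANS, PLAN_ACCESS, RUNNING_CONFIG)))
```

An empty result means the switch matches the plan for the items checked; trunks and etherchannels are not covered by this sketch.
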
Make sure access ports have the correct access VLANs, including the AP, phone, desktops, servers and routers. Check the trunking and, if there are any, the etherchannels.

'''Firewalls'''

There will most likely be an Active/Passive or Active/Active failover pair, so get this up and running after you verify the switch configurations. I wouldn't start putting in ACLs until routing and connectivity are established, so hold off on those items; just get the main firewall state configured along with the interfaces and IPs.

'''Routers'''

Make sure the routers have the proper IP addresses and start the routing configuration with the switches and ASAs.

=Checkpoint #1 - Basic Connectivity=
Checkpoint #1 is complete when you have configured the following:
* Switch VLANs
* Switch access, trunk and port-channel/etherchannel
* Switch SVI IP assignment
* ASA Mode and/or Failover
* ASA Routing
* Router IP addressing
* Router IGPs and routing policy

=Phase 3 - IPS & WSA=
==IPS==
'''SPAN'''

More than likely there will be a SPAN port to configure for these tasks. Set up the SPAN sessions and configure the IPS to receive this traffic. It should be in promiscuous, inline interface or inline VLAN pair mode, but you don't know which one, so prepare for all of them.

==WSA==